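---
# Customized AWS Systems Manager Quick Setup (Host Management) template.
#
# What it deploys:
#   - an IAM automation role (RoleForAutomation) and a customer managed policy
#     that grants read access to a central S3 bucket of CloudWatch agent configs;
#   - SSM Automation documents that create/attach an instance profile
#     (AmazonSSMRoleForInstancesQuickSetup) or extend an existing one;
#   - a Command document that installs the CloudWatch agent and pulls the
#     standard configuration from the bucket;
#   - State Manager associations for SSM agent update, inventory, patch scan
#     and the CloudWatch agent install/refresh.
#
# Review notes:
#   - Every targeted instance that has no instance profile gets one created and
#     attached by automation; when IsPolicyAttachAllowed=true the automation
#     also attaches managed policies to the role already on the instance.
#     Both widen instance permissions, so keep IsPolicyAttachAllowed at its
#     default ('false') unless that is intended.
#   - Managed-policy ARNs are written with ${AWS::Partition} so the template is
#     not silently tied to the 'aws' partition.
Description: Customized SSM Quick Setup to support centralized Cloudwatch configuration distribution and update
Metadata:
  Version: '1.1'

Parameters:
  CloudWatchConfigBucketARN:
    Type: String
    Default: ''
    # This value is used as a bucket ARN, not a bare bucket name: it is placed
    # directly in IAM Resource elements and the bucket name is extracted from
    # it with Fn::Select 5 / Fn::Split ':' further down.
    Description: "(Required) ARN of the S3 bucket containing standard CloudWatch configurations (arn:<partition>:s3:::<bucket-name>)"
  QSType:
    Type: String
    AllowedValues:
      - LA
      - TA
      - MA
    Default: TA
    Description: "(Required) Specifies the type of the QuickSetup: either local or organizational."
  QSConfigurationId:
    Type: String
    Default: 'LoggingMonitoringQS'
    Description: "(Required) Unique identifier of the deployed configuration."
  QSGlobalResourcesRegion:
    Type: String
    Default: ''
    # Not referenced by any resource in this template; kept for interface
    # compatibility with the Quick Setup parameter set.
    Description: "(Required) Name of the region to deploy global resources like S3 buckets."
  QSPrincipalOrgId:
    Type: String
    Default: ''
    # Not referenced by any resource in this template.
    Description: "(Optional) The ID of the principal organization in which master account is operating."
  UpdateSsmAgent:
    Type: String
    Default: 'false'
    AllowedValues:
      - 'true'
      - 'false'
    Description: "(Optional) Whether the SSM agent should be periodically updated (every 2 weeks)."
  CollectInventory:
    Type: String
    Default: 'false'
    AllowedValues:
      - 'true'
      - 'false'
    Description: "(Optional) Whether inventory should be periodically collected (every 30 minutes)."
  ScanInstances:
    Type: String
    Default: 'false'
    AllowedValues:
      - 'true'
      - 'false'
    Description: "(Optional) Whether instances should be periodically scanned for patches (every day)."
  InstallCloudWatchAgent:
    Type: String
    Default: 'true'
    AllowedValues:
      - 'true'
      - 'false'
    Description: "(Optional) Whether the CloudWatch agent should be installed."
  UpdateCloudWatchAgent:
    Type: String
    Default: 'true'
    AllowedValues:
      - 'true'
      - 'false'
    # When 'true' the install association is re-run every 30 days, which
    # re-installs the package (latest version) and re-downloads the config.
    Description: "(Optional) Whether the CloudWatch agent should be periodically updated (every 30 days)."
  IsPolicyAttachAllowed:
    Type: String
    Default: 'false'
    AllowedValues:
      - 'true'
      - 'false'
    # Security-relevant: 'true' lets the automation attach the SSM, CloudWatch
    # and S3-config policies to whatever role an instance already carries.
    Description: "(Optional) Whether Quicksetup is allowed to attach policies to existing Instance profiles"
  ProvidedInstanceProfileName:
    Type: String
    Default: ''
    Description: "(Optional) Specifies the instance profile Name provided by the user when QSType=LA."
  ProvidedAssumeRoleArn:
    Type: String
    Default: "*"
    # "*" is the sentinel for "not provided"; RoleForAutomation is used instead.
    Description: "(Optional) Specifies the automation assume role Arn provided by the user when QSType=LA."
  TargetType:
    Type: String
    Default: "*"
    AllowedValues:
      - Tags
      - InstanceIds
      - "*"
      - ResourceGroups
    Description: "(Optional) Specifies the way in which instances are targeted - applies only for local QuickSetup."
  TargetInstances:
    Type: String
    Default: "*"
    # Comma-separated instance IDs, or "*" for all instances.
    Description: "(Optional) Specifies the instances to be targeted when QSType=LA and TargetType=InstanceIds."
  TargetTagKey:
    Type: String
    Default: ''
    Description: "(Optional) Specifies the tag key of instances to be targeted when QSType=LA and TargetType=Tags"
  TargetTagValue:
    Type: String
    Default: ''
    Description: "(Optional) Specifies the tag value of instances to be targeted when QSType=LA and TargetType=Tags"
  ResourceGroupName:
    Type: String
    Default: ''
    Description: "(Optional) Specifies the resource group name to be targeted when QSType=LA and TargetType=ResourceGroups"

Conditions:
  CreateUpdateSsmAgentAssociation:
    Fn::Equals:
      - Ref: UpdateSsmAgent
      - 'true'
  CreateCollectInventoryAssociation:
    Fn::Equals:
      - Ref: CollectInventory
      - 'true'
  CreateScanInstancesAssociation:
    Fn::Equals:
      - Ref: ScanInstances
      - 'true'
  CreateInstallAndManageCloudWatchAgentAssociation:
    Fn::Equals:
      - Ref: InstallCloudWatchAgent
      - 'true'
  UpdateCloudWatchAgentAssociation:
    Fn::Equals:
      - Ref: UpdateCloudWatchAgent
      - 'true'
  # Duplicate of UpdateCloudWatchAgentAssociation; not referenced by any
  # resource in this template.
  ShouldUpdateCloudWatchAgent:
    Fn::Equals:
      - Ref: UpdateCloudWatchAgent
      - 'true'
  # Gates the Explorer-enablement association: created only if at least one
  # feature association is enabled.
  AtLeastOneAssociationCreated:
    Fn::Or:
      - Fn::Equals:
          - Ref: UpdateSsmAgent
          - 'true'
      - Fn::Equals:
          - Ref: CollectInventory
          - 'true'
      - Fn::Equals:
          - Ref: ScanInstances
          - 'true'
      - Fn::Equals:
          - Ref: InstallCloudWatchAgent
          - 'true'
      - Fn::Equals:
          - Ref: UpdateCloudWatchAgent
          - 'true'
  IsTagValueNotSpecified:
    Fn::Equals:
      - Ref: TargetTagValue
      - ''
  # Targeting conditions below only apply to local (LA) deployments;
  # organization (TA) deployments always target all instances.
  IsTagKeyAndValueTargeted:
    Fn::And:
      - Fn::Equals:
          - Ref: QSType
          - LA
      - Fn::Equals:
          - Ref: TargetType
          - Tags
      - Fn::Not:
          - Condition: IsTagValueNotSpecified
  IsTagKeyOnlyTargeted:
    Fn::And:
      - Fn::Equals:
          - Ref: QSType
          - LA
      - Fn::Equals:
          - Ref: TargetType
          - Tags
      - Condition: IsTagValueNotSpecified
  IsResourceGroupTargeted:
    Fn::And:
      - Fn::Equals:
          - Ref: QSType
          - LA
      - Fn::Equals:
          - Ref: TargetType
          - ResourceGroups
  IsOrgQuickSetup:
    Fn::Equals:
      - Ref: QSType
      - TA
  IsNoAutomationAssumeRoleProvided:
    Fn::Or:
      - Fn::Equals:
          - Ref: QSType
          - TA
      - Fn::Equals:
          - Ref: ProvidedAssumeRoleArn
          - "*"
  IsNoInstanceProfileProvided:
    Fn::Or:
      - Fn::Equals:
          - Ref: QSType
          - TA
      - Fn::Equals:
          - Ref: ProvidedInstanceProfileName
          - ''
  IsInstanceProfileProvided:
    Fn::Not:
      - Condition: IsNoInstanceProfileProvided
  # Duplicate of TargetAll; not referenced by any resource in this template.
  TargetAllAutomation:
    Fn::Equals:
      - Ref: TargetInstances
      - "*"
  TargetAll:
    Fn::Equals:
      - Ref: TargetInstances
      - "*"

Resources:
  # Read-only access to the central CloudWatch configuration bucket. Attached
  # to the instance role so the agent host can download its configuration.
  # NOTE(review): the Command document below only reads config/standard/*;
  # the GetObject grant could be narrowed to that prefix if the bucket holds
  # anything else.
  CloudWatchConfigS3BucketPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: This policy grants access to the S3 bucket used for storing standard CloudWatch configuration files
      ManagedPolicyName: !Sub "CloudWatchConfigS3BucketPolicy-${AWS::Region}"
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:GetObjectVersion
              - s3:ListBucket
            Resource:
              - !Ref CloudWatchConfigBucketARN
              - !Sub "${CloudWatchConfigBucketARN}/*"

  # Role assumed by SSM Automation for the associations in this template when
  # no ProvidedAssumeRoleArn is given. The inline policies deliberately scope
  # the IAM write actions: AttachRolePolicy is limited to a fixed set of policy
  # ARNs, and PassRole/CreateRole/PutRolePolicy are limited to the Quick Setup
  # role names. Discovery and EC2 profile (dis)association remain on "*".
  RoleForAutomation:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ssm.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        # Permissions needed by the AWS-EnableExplorer automation document.
        - PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - iam:ListRoles
                  - config:DescribeConfigurationRecorders
                  - compute-optimizer:GetEnrollmentStatus
                  - support:DescribeTrustedAdvisorChecks
                Resource: "*"
              - Effect: Allow
                Action:
                  - ssm:UpdateServiceSetting
                  - ssm:GetServiceSetting
                Resource:
                  - Fn::Join:
                      - ''
                      - - 'arn:'
                        - Ref: AWS::Partition
                        - !Sub ":ssm:${AWS::Region}:${AWS::AccountId}:servicesetting/ssm/opsitem/ssm-patchmanager"
                  - Fn::Join:
                      - ''
                      - - 'arn:'
                        - Ref: AWS::Partition
                        - !Sub ":ssm:${AWS::Region}:${AWS::AccountId}:servicesetting/ssm/opsitem/EC2"
                  - Fn::Join:
                      - ''
                      - - 'arn:'
                        - Ref: AWS::Partition
                        - !Sub ":ssm:${AWS::Region}:${AWS::AccountId}:servicesetting/ssm/opsdata/ExplorerOnboarded"
                  - Fn::Join:
                      - ''
                      - - 'arn:'
                        - Ref: AWS::Partition
                        - !Sub ":ssm:${AWS::Region}:${AWS::AccountId}:servicesetting/ssm/opsdata/Association"
                  - Fn::Join:
                      - ''
                      - - 'arn:'
                        - Ref: AWS::Partition
                        - !Sub ":ssm:${AWS::Region}:${AWS::AccountId}:servicesetting/ssm/opsdata/ComputeOptimizer"
                  - Fn::Join:
                      - ''
                      - - 'arn:'
                        - Ref: AWS::Partition
                        - !Sub ":ssm:${AWS::Region}:${AWS::AccountId}:servicesetting/ssm/opsdata/ConfigCompliance"
                  - Fn::Join:
                      - ''
                      - - 'arn:'
                        - Ref: AWS::Partition
                        - !Sub ":ssm:${AWS::Region}:${AWS::AccountId}:servicesetting/ssm/opsdata/OpsData-TrustedAdvisor"
                  - Fn::Join:
                      - ''
                      - - 'arn:'
                        - Ref: AWS::Partition
                        - !Sub ":ssm:${AWS::Region}:${AWS::AccountId}:servicesetting/ssm/opsdata/SupportCenterCase"
              - Effect: Allow
                Action:
                  - iam:CreateServiceLinkedRole
                Resource:
                  Fn::Join:
                    - ''
                    - - 'arn:'
                      - Ref: AWS::Partition
                      - !Sub ":iam::${AWS::AccountId}:role/aws-service-role/ssm."
                      - Ref: AWS::URLSuffix
                      - "/AWSServiceRoleForAmazonSSM"
                Condition:
                  StringEquals:
                    iam:AWSServiceName: ssm.amazonaws.com
          PolicyName: SSMQuickSetupEnableExplorerInlinePolicy
        # Permissions needed by the instance-profile automation documents below.
        - PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ssm:GetAutomationExecution
                  - ec2:DescribeIamInstanceProfileAssociations
                  - ec2:DisassociateIamInstanceProfile
                  - ec2:DescribeInstances
                  - ssm:StartAutomationExecution
                  - iam:GetInstanceProfile
                  - iam:ListInstanceProfilesForRole
                Resource: "*"
              # AttachRolePolicy on any role, but only for these four policies.
              # This is the bound on what IsPolicyAttachAllowed=true can grant.
              - Effect: Allow
                Action:
                  - iam:AttachRolePolicy
                Resource: "*"
                Condition:
                  ArnEquals:
                    iam:PolicyARN:
                      - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
                      - !Sub "arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy"
                      - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMPatchAssociation"
                      - !Ref CloudWatchConfigS3BucketPolicy
              - Effect: Allow
                Action:
                  - iam:AddRoleToInstanceProfile
                Resource:
                  - Fn::Join:
                      - ''
                      - - 'arn:'
                        - Ref: AWS::Partition
                        - !Sub ":iam::${AWS::AccountId}:instance-profile/AmazonSSMRoleForInstancesQuickSetup"
              # NOTE(review): ec2:NewInstanceProfile is matched against the
              # profile ARN; ProvidedInstanceProfileName is documented as a
              # name. Confirm callers pass a value this condition can match.
              - Effect: Allow
                Action:
                  - ec2:AssociateIamInstanceProfile
                Resource: "*"
                Condition:
                  StringEquals:
                    ec2:NewInstanceProfile:
                      - Fn::If:
                          - IsInstanceProfileProvided
                          - !Ref ProvidedInstanceProfileName
                          - !Ref AWS::NoValue
                      - Fn::Join:
                          - ''
                          - - 'arn:'
                            - Ref: AWS::Partition
                            - !Sub ":iam::${AWS::AccountId}:instance-profile/AmazonSSMRoleForInstancesQuickSetup"
              - Effect: Allow
                Action:
                  - iam:CreateInstanceProfile
                Resource:
                  - Fn::Join:
                      - ''
                      - - 'arn:'
                        - Ref: AWS::Partition
                        - !Sub ":iam::${AWS::AccountId}:instance-profile/AmazonSSMRoleForInstancesQuickSetup"
              - Effect: Allow
                Action:
                  - iam:PassRole
                  - iam:GetRole
                Resource:
                  - Fn::Join:
                      - ''
                      - - 'arn:'
                        - Ref: AWS::Partition
                        - !Sub ":iam::${AWS::AccountId}:role/AmazonSSMRoleForInstancesQuickSetup"
                  - Fn::Join:
                      - ''
                      - - 'arn:'
                        - Ref: AWS::Partition
                        - !Sub ":iam::${AWS::AccountId}:role/AWS-QuickSetup-HostMgmtRole-"
                        - Ref: AWS::Region
                        - "-"
                        - Ref: QSConfigurationId
              - Effect: Allow
                Action:
                  - iam:CreateRole
                Resource:
                  - Fn::Join:
                      - ''
                      - - 'arn:'
                        - Ref: AWS::Partition
                        - !Sub ":iam::${AWS::AccountId}:role/AmazonSSMRoleForInstancesQuickSetup"
              - Effect: Allow
                Action:
                  - iam:PutRolePolicy
                Resource:
                  - Fn::Join:
                      - ''
                      - - 'arn:'
                        - Ref: AWS::Partition
                        - !Sub ":iam::${AWS::AccountId}:role/AmazonSSMRoleForInstancesQuickSetup"
          PolicyName:
            Fn::Join:
              - ''
              - - AWS-QuickSetup-SSMHostMgmt-CreateAndAttachRoleInlinePolicy-
                - Ref: AWS::Region
                - "-"
                - Ref: QSConfigurationId
      RoleName:
        Fn::Join:
          - ''
          - - AWS-QuickSetup-HostMgmtRole-
            - Ref: AWS::Region
            - "-"
            - Ref: QSConfigurationId

  # Automation: attach the four required policies to the first role of a
  # user-provided instance profile (local deployments only).
  UpdateExistingInstanceProfile:
    Type: AWS::SSM::Document
    Properties:
      DocumentFormat: YAML
      Content:
        description: Composite document for Quick Setup Managing Instances association. This document updates the user provided instance profile with roles and policies
        schemaVersion: '0.3'
        assumeRole: "{{AutomationAssumeRole}}"
        parameters:
          AutomationAssumeRole:
            type: String
          # InstanceId:
          #   type: String
          InstanceProfile:
            type: String
        mainSteps:
          # Only Roles[0] is read; an instance profile carries at most one role.
          - name: getRoleFromInstanceProfile
            action: aws:executeAwsApi
            inputs:
              Service: iam
              Api: GetInstanceProfile
              InstanceProfileName: "{{InstanceProfile}}"
            outputs:
              - Name: existingRoleName
                Selector: "$.InstanceProfile.Roles[0].RoleName"
                Type: String
            nextStep: attachAmazonSSMManagedInstanceCoreToExistingRole
          - name: attachAmazonSSMManagedInstanceCoreToExistingRole
            action: aws:executeAwsApi
            inputs:
              Service: iam
              Api: AttachRolePolicy
              RoleName: "{{getRoleFromInstanceProfile.existingRoleName}}"
              PolicyArn: !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
            nextStep: attachCloudWatchConfigS3BucketPolicyToExistingRole
          - name: attachCloudWatchConfigS3BucketPolicyToExistingRole
            action: aws:executeAwsApi
            inputs:
              Service: iam
              Api: AttachRolePolicy
              RoleName: "{{getRoleFromInstanceProfile.existingRoleName}}"
              PolicyArn: !Ref CloudWatchConfigS3BucketPolicy
            nextStep: attachCloudWatchAgentServerPolicyToExistingRole
          - name: attachCloudWatchAgentServerPolicyToExistingRole
            action: aws:executeAwsApi
            inputs:
              Service: iam
              Api: AttachRolePolicy
              RoleName: "{{getRoleFromInstanceProfile.existingRoleName}}"
              PolicyArn: !Sub "arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy"
            nextStep: attachAmazonSSMPatchAssociationToExistingRole
          - name: attachAmazonSSMPatchAssociationToExistingRole
            action: aws:executeAwsApi
            inputs:
              Service: iam
              Api: AttachRolePolicy
              RoleName: "{{getRoleFromInstanceProfile.existingRoleName}}"
              PolicyArn: !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMPatchAssociation"
            isEnd: true
      DocumentType: Automation
      Name:
        Fn::Join:
          - ''
          - - AWSQuickSetup-UpdateExistingInstanceProfile-
            - Ref: QSConfigurationId

  # Runs UpdateExistingInstanceProfile once (no Targets, no schedule) when a
  # user-provided instance profile name is given.
  SystemAssociationForUpdateManagingInstances:
    Type: AWS::SSM::Association
    Properties:
      Name:
        Ref: UpdateExistingInstanceProfile
      AssociationName:
        Fn::Join:
          - ''
          - - AWS-QuickSetup-SSMHostMgmt-UpdateIAMForInstanceMgmt-
            - Ref: QSConfigurationId
      Parameters:
        AutomationAssumeRole:
          - Fn::If:
              - IsNoAutomationAssumeRoleProvided
              - Fn::GetAtt:
                  - RoleForAutomation
                  - Arn
              - Ref: ProvidedAssumeRoleArn
        InstanceProfile:
          - Ref: ProvidedInstanceProfileName
      # AutomationTargetParameterName: InstanceId
      # Targets:
      #   Fn::If:
      #     - IsOrgQuickSetup
      #     - - Key: InstanceIds
      #         Values:
      #           - "*"
      #     - Fn::If:
      #         - IsTagKeyAndValueTargeted
      #         - - Key:
      #               Fn::Join:
      #                 - ''
      #                 - - 'tag:'
      #                   - Ref: TargetTagKey
      #             Values:
      #               - Ref: TargetTagValue
      #         - Fn::If:
      #             - IsTagKeyOnlyTargeted
      #             - - Key: tag-key
      #                 Values:
      #                   - Ref: TargetTagKey
      #             - Fn::If:
      #                 - IsResourceGroupTargeted
      #                 - - Key: ResourceGroup
      #                     Values:
      #                       - Ref: ResourceGroupName
      #                 - Fn::If:
      #                     - TargetAll
      #                     - - Key: InstanceIds
      #                         Values:
      #                           - "*"
      #                     - - Key: ParameterValues
      #                         Values:
      #                           Fn::Split:
      #                             - ","
      #                             - Ref: TargetInstances
      # ScheduleExpression: rate(30 days)
    Condition: IsInstanceProfileProvided
    # Condition: IsInstanceProfileProvided

  # Automation (per instance): ensure the instance has an instance profile
  # with the required policies. Flow:
  #   no profile on instance  -> use ProvidedInstanceProfileName if given,
  #                              else create AmazonSSMRoleForInstancesQuickSetup
  #                              and attach it (ForceReplace: false);
  #   profile already present -> attach the policies to its role only when
  #                              IsPolicyAttachAllowed == 'true', otherwise
  #                              fall through to the create path.
  CreateAndAttachIAMToInstance:
    Type: AWS::SSM::Document
    Properties:
      DocumentFormat: YAML
      Content:
        description: Composite document for Quick Setup Managing Instances association. This document ensures IAM role for instance profile is created in account with all required policies
        schemaVersion: '0.3'
        assumeRole: "{{AutomationAssumeRole}}"
        parameters:
          AutomationAssumeRole:
            type: String
          InstanceId:
            type: String
          IsPolicyAttachAllowed:
            type: String
          ProvidedInstanceProfileName:
            type: String
            default: ''
        mainSteps:
          # Returns the instance profile *name* (despite the RoleName key)
          # of the targeted instance, or 'NoRoleFound'.
          # NOTE(review): python3.6 reached end of life; confirm this runtime is
          # still accepted by aws:executeScript before redeploying.
          - name: getExistingRoleName
            action: aws:executeScript
            inputs:
              Runtime: python3.6
              Handler: getInstanceProfileName
              InputPayload:
                InstanceId: "{{InstanceId}}"
              Script: |-
                import boto3

                def getInstanceProfileName(events, context):
                    ec2_client = boto3.client("ec2")
                    response = ec2_client.describe_instances(InstanceIds=[events["InstanceId"]])
                    instance = response['Reservations'][0]['Instances'][0]
                    if 'IamInstanceProfile' in instance:
                        return {'RoleName': instance['IamInstanceProfile']['Arn'].split('instance-profile/')[1]}
                    return {'RoleName': 'NoRoleFound'}
            outputs:
              - Name: existingInstanceProfileRoleName
                Selector: "$.Payload.RoleName"
                Type: String
            nextStep: branchIfProfileExists
          - name: branchIfProfileExists
            action: aws:branch
            inputs:
              Choices:
                - NextStep: checkIfProvidedInstanceProfileName
                  Variable: "{{getExistingRoleName.existingInstanceProfileRoleName}}"
                  StringEquals: NoRoleFound
              Default: checkIfPolicyAttachAllowed
          - name: checkIfPolicyAttachAllowed
            action: aws:branch
            inputs:
              Choices:
                - NextStep: getRoleFromInstanceProfile
                  Variable: "{{IsPolicyAttachAllowed}}"
                  StringEquals: 'true'
              Default: createRoleIfNotExists
          - name: getRoleFromInstanceProfile
            action: aws:executeAwsApi
            inputs:
              Service: iam
              Api: GetInstanceProfile
              InstanceProfileName: "{{getExistingRoleName.existingInstanceProfileRoleName}}"
            outputs:
              - Name: existingRoleName
                Selector: "$.InstanceProfile.Roles[0].RoleName"
                Type: String
            nextStep: attachAmazonSSMManagedInstanceCoreToExistingRole
          - name: attachAmazonSSMManagedInstanceCoreToExistingRole
            action: aws:executeAwsApi
            inputs:
              Service: iam
              Api: AttachRolePolicy
              RoleName: "{{getRoleFromInstanceProfile.existingRoleName}}"
              PolicyArn: !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
            nextStep: attachCloudWatchAgentServerPolicyToExistingRole
          - name: attachCloudWatchAgentServerPolicyToExistingRole
            action: aws:executeAwsApi
            inputs:
              Service: iam
              Api: AttachRolePolicy
              RoleName: "{{getRoleFromInstanceProfile.existingRoleName}}"
              PolicyArn: !Sub "arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy"
            nextStep: attachCloudWatchConfigS3BucketPolicyToExistingRole
          - name: attachCloudWatchConfigS3BucketPolicyToExistingRole
            action: aws:executeAwsApi
            inputs:
              Service: iam
              Api: AttachRolePolicy
              RoleName: "{{getRoleFromInstanceProfile.existingRoleName}}"
              PolicyArn: !Ref CloudWatchConfigS3BucketPolicy
            nextStep: attachAmazonSSMPatchAssociationToExistingRole
          - name: attachAmazonSSMPatchAssociationToExistingRole
            action: aws:executeAwsApi
            inputs:
              Service: iam
              Api: AttachRolePolicy
              RoleName: "{{getRoleFromInstanceProfile.existingRoleName}}"
              PolicyArn: !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMPatchAssociation"
            isEnd: true
          - name: checkIfProvidedInstanceProfileName
            action: aws:branch
            inputs:
              Choices:
                - NextStep: createRoleIfNotExists
                  Variable: "{{ProvidedInstanceProfileName}}"
                  StringEquals: ''
              Default: executeAttachProvidedInstanceProfileName
          # ForceReplace: false keeps an existing profile if one was attached
          # between the describe step and this call.
          - name: executeAttachProvidedInstanceProfileName
            action: aws:executeAutomation
            maxAttempts: 20
            timeoutSeconds: 2
            inputs:
              DocumentName: AWS-AttachIAMToInstance
              RuntimeParameters:
                RoleName: "{{ProvidedInstanceProfileName}}"
                ForceReplace: false
                AutomationAssumeRole: "{{ AutomationAssumeRole }}"
                InstanceId: "{{ InstanceId }}"
            isEnd: true
          # onFailure: Continue tolerates EntityAlreadyExists; the next step
          # asserts the role really exists before policies are attached.
          - name: createRoleIfNotExists
            action: aws:executeAwsApi
            inputs:
              Service: iam
              Api: CreateRole
              Path: "/"
              RoleName: AmazonSSMRoleForInstancesQuickSetup
              AssumeRolePolicyDocument: '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
              Description: EC2 role for SSM for Quick-Setup
            description: Create AmazonSSMRoleForInstancesQuickSetup Role For SSM Quick Setup
            onFailure: Continue
            nextStep: assertRoleForInstanceProfileExists
          - name: assertRoleForInstanceProfileExists
            action: aws:assertAwsResourceProperty
            inputs:
              Service: iam
              Api: GetRole
              PropertySelector: "$.Role.RoleName"
              DesiredValues:
                - AmazonSSMRoleForInstancesQuickSetup
              RoleName: AmazonSSMRoleForInstancesQuickSetup
            nextStep: attachAmazonSSMManagedInstanceCoreToRole
          - name: attachAmazonSSMManagedInstanceCoreToRole
            action: aws:executeAwsApi
            inputs:
              Service: iam
              Api: AttachRolePolicy
              RoleName: AmazonSSMRoleForInstancesQuickSetup
              PolicyArn: !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
            nextStep: attachCloudWatchAgentServerPolicyToRole
          - name: attachCloudWatchAgentServerPolicyToRole
            action: aws:executeAwsApi
            inputs:
              Service: iam
              Api: AttachRolePolicy
              RoleName: AmazonSSMRoleForInstancesQuickSetup
              PolicyArn: !Sub "arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy"
            nextStep: attachCloudWatchConfigS3BucketPolicyToRole
          - name: attachCloudWatchConfigS3BucketPolicyToRole
            action: aws:executeAwsApi
            inputs:
              Service: iam
              Api: AttachRolePolicy
              RoleName: AmazonSSMRoleForInstancesQuickSetup
              PolicyArn: !Ref CloudWatchConfigS3BucketPolicy
            nextStep: attachAmazonSSMPatchAssociationToRole
          - name: attachAmazonSSMPatchAssociationToRole
            action: aws:executeAwsApi
            inputs:
              Service: iam
              Api: AttachRolePolicy
              RoleName: AmazonSSMRoleForInstancesQuickSetup
              PolicyArn: !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMPatchAssociation"
            nextStep: createInstanceProfileIfNotExists
          - name: createInstanceProfileIfNotExists
            action: aws:executeAwsApi
            inputs:
              InstanceProfileName: AmazonSSMRoleForInstancesQuickSetup
              Service: iam
              Api: CreateInstanceProfile
            onFailure: Continue
            nextStep: addRoleToInstanceProfile
          - name: addRoleToInstanceProfile
            action: aws:executeAwsApi
            inputs:
              InstanceProfileName: AmazonSSMRoleForInstancesQuickSetup
              RoleName: AmazonSSMRoleForInstancesQuickSetup
              Service: iam
              Api: AddRoleToInstanceProfile
            onFailure: Continue
            nextStep: executeAttachIAMToInstance
          - name: executeAttachIAMToInstance
            action: aws:executeAutomation
            maxAttempts: 20
            timeoutSeconds: 2
            inputs:
              DocumentName: AWS-AttachIAMToInstance
              RuntimeParameters:
                RoleName: AmazonSSMRoleForInstancesQuickSetup
                ForceReplace: false
                AutomationAssumeRole: "{{ AutomationAssumeRole }}"
                InstanceId: "{{ InstanceId }}"
            isEnd: true
      DocumentType: Automation
      # Name:
      #   Fn::Join:
      #     - ''
      #     - - AWSQuickSetup-CreateAndAttachIAMToInstance-
      #       - Ref: QSConfigurationId

  # Runs CreateAndAttachIAMToInstance against every targeted instance every
  # 30 days, unless a user-provided instance profile is in use.
  SystemAssociationForManagingInstances:
    Type: AWS::SSM::Association
    Properties:
      Name:
        Ref: CreateAndAttachIAMToInstance
      AssociationName:
        Fn::Join:
          - ''
          - - AWS-QuickSetup-SSMHostMgmt-AttachIAMToInstance-
            - Ref: QSConfigurationId
      Parameters:
        AutomationAssumeRole:
          - Fn::If:
              - IsNoAutomationAssumeRoleProvided
              - Fn::GetAtt:
                  - RoleForAutomation
                  - Arn
              - Ref: ProvidedAssumeRoleArn
        IsPolicyAttachAllowed:
          - Ref: IsPolicyAttachAllowed
        ProvidedInstanceProfileName:
          - Ref: ProvidedInstanceProfileName
      AutomationTargetParameterName: InstanceId
      # Automation associations use the ResourceGroup / ParameterValues target
      # keys; the Command associations below use resource-groups:Name /
      # InstanceIds for the same cases.
      Targets:
        Fn::If:
          - IsOrgQuickSetup
          - - Key: InstanceIds
              Values:
                - "*"
          - Fn::If:
              - IsTagKeyAndValueTargeted
              - - Key:
                    Fn::Join:
                      - ''
                      - - 'tag:'
                        - Ref: TargetTagKey
                  Values:
                    - Ref: TargetTagValue
              - Fn::If:
                  - IsTagKeyOnlyTargeted
                  - - Key: tag-key
                      Values:
                        - Ref: TargetTagKey
                  - Fn::If:
                      - IsResourceGroupTargeted
                      - - Key: ResourceGroup
                          Values:
                            - Ref: ResourceGroupName
                      - Fn::If:
                          - TargetAll
                          - - Key: InstanceIds
                              Values:
                                - "*"
                          - - Key: ParameterValues
                              Values:
                                Fn::Split:
                                  - ","
                                  - Ref: TargetInstances
      ScheduleExpression: rate(30 days)
    Condition: IsNoInstanceProfileProvided

  SystemAssociationForEnablingExplorer:
    Type: AWS::SSM::Association
    Properties:
      Name: AWS-EnableExplorer
      AssociationName:
        Fn::Join:
          - ''
          - - AWS-QuickSetup-SSMHostMgmt-EnableExplorer-
            - Ref: QSConfigurationId
      Parameters:
        AutomationAssumeRole:
          - Fn::If:
              - IsNoAutomationAssumeRoleProvided
              - Fn::GetAtt:
                  - RoleForAutomation
                  - Arn
              - Ref: ProvidedAssumeRoleArn
    Condition: AtLeastOneAssociationCreated

  SystemAssociationForSsmAgentUpdate:
    Type: AWS::SSM::Association
    Properties:
      Name: AWS-UpdateSSMAgent
      AssociationName:
        Fn::Join:
          - ''
          - - AWS-QuickSetup-SSMHostMgmt-UpdateSSMAgent-
            - Ref: QSConfigurationId
      ScheduleExpression: rate(14 days)
      Targets:
        Fn::If:
          - IsOrgQuickSetup
          - - Key: InstanceIds
              Values:
                - "*"
          - Fn::If:
              - IsTagKeyAndValueTargeted
              - - Key:
                    Fn::Join:
                      - ''
                      - - 'tag:'
                        - Ref: TargetTagKey
                  Values:
                    - Ref: TargetTagValue
              - Fn::If:
                  - IsTagKeyOnlyTargeted
                  - - Key: tag-key
                      Values:
                        - Ref: TargetTagKey
                  - Fn::If:
                      - IsResourceGroupTargeted
                      - - Key: resource-groups:Name
                          Values:
                            - Ref: ResourceGroupName
                      - Fn::If:
                          - TargetAll
                          - - Key: InstanceIds
                              Values:
                                - "*"
                          - - Key: InstanceIds
                              Values:
                                Fn::Split:
                                  - ","
                                  - Ref: TargetInstances
    Condition: CreateUpdateSsmAgentAssociation

  SystemAssociationForInventoryCollection:
    Type: AWS::SSM::Association
    Properties:
      Name: AWS-GatherSoftwareInventory
      AssociationName:
        Fn::Join:
          - ''
          - - AWS-QuickSetup-SSMHostMgmt-CollectInventory-
            - Ref: QSConfigurationId
      Parameters:
        applications:
          - Enabled
        awsComponents:
          - Enabled
        networkConfig:
          - Enabled
        instanceDetailedInformation:
          - Enabled
        windowsUpdates:
          - Enabled
        services:
          - Enabled
        windowsRoles:
          - Enabled
        customInventory:
          - Enabled
      ScheduleExpression: rate(30 minutes)
      Targets:
        Fn::If:
          - IsOrgQuickSetup
          - - Key: InstanceIds
              Values:
                - "*"
          - Fn::If:
              - IsTagKeyAndValueTargeted
              - - Key:
                    Fn::Join:
                      - ''
                      - - 'tag:'
                        - Ref: TargetTagKey
                  Values:
                    - Ref: TargetTagValue
              - Fn::If:
                  - IsTagKeyOnlyTargeted
                  - - Key: tag-key
                      Values:
                        - Ref: TargetTagKey
                  - Fn::If:
                      - IsResourceGroupTargeted
                      - - Key: resource-groups:Name
                          Values:
                            - Ref: ResourceGroupName
                      - Fn::If:
                          - TargetAll
                          - - Key: InstanceIds
                              Values:
                                - "*"
                          - - Key: InstanceIds
                              Values:
                                Fn::Split:
                                  - ","
                                  - Ref: TargetInstances
    Condition: CreateCollectInventoryAssociation

  # Scan only (Operation: Scan) - this association never installs patches.
  SystemAssociationForScanningPatches:
    Type: AWS::SSM::Association
    Properties:
      Name: AWS-RunPatchBaselineAssociation
      AssociationName:
        Fn::Join:
          - ''
          - - AWS-QuickSetup-SSMHostMgmt-ScanForPatches-
            - Ref: QSConfigurationId
      Parameters:
        Operation:
          - Scan
      ScheduleExpression: rate(1 day)
      SyncCompliance: MANUAL
      Targets:
        Fn::If:
          - IsOrgQuickSetup
          - - Key: InstanceIds
              Values:
                - "*"
          - Fn::If:
              - IsTagKeyAndValueTargeted
              - - Key:
                    Fn::Join:
                      - ''
                      - - 'tag:'
                        - Ref: TargetTagKey
                  Values:
                    - Ref: TargetTagValue
              - Fn::If:
                  - IsTagKeyOnlyTargeted
                  - - Key: tag-key
                      Values:
                        - Ref: TargetTagKey
                  - Fn::If:
                      - IsResourceGroupTargeted
                      - - Key: resource-groups:Name
                          Values:
                            - Ref: ResourceGroupName
                      - Fn::If:
                          - TargetAll
                          - - Key: InstanceIds
                              Values:
                                - "*"
                          - - Key: InstanceIds
                              Values:
                                Fn::Split:
                                  - ","
                                  - Ref: TargetInstances
    Condition: CreateScanInstancesAssociation

  # Command document: install the CloudWatch agent, download the standard
  # configuration from the central bucket, remove .etag side files and
  # (re)start the agent. Per-platform steps are gated by platformType.
  # NOTE(review): the config URLs use the path-style global endpoint
  # https://s3.amazonaws.com/<bucket>/...; confirm this resolves for the
  # bucket's region before relying on it outside us-east-1.
  InstallAndManageCloudWatchDocument:
    Type: AWS::SSM::Document
    Properties:
      DocumentFormat: YAML
      Content:
        schemaVersion: "2.2"
        description: "A composite document for installing and configuring the CloudWatch Agent."
        parameters:
          sourceInfoWindows:
            description: "Amazon S3 bucket used to store CloudWatch configuration files"
            type: StringMap
            displayType: "textarea"
            default:
              path:
                Fn::Join:
                  - ''
                  - - 'https://s3.amazonaws.com/'
                    - !Select [5, !Split [":", !Ref CloudWatchConfigBucketARN]]
                    - '/config/standard/windows'
          sourceInfoLinux:
            description: "Amazon S3 bucket used to store CloudWatch configuration files"
            type: StringMap
            displayType: "textarea"
            default:
              path:
                Fn::Join:
                  - ''
                  - - 'https://s3.amazonaws.com/'
                    - !Select [5, !Split [":", !Ref CloudWatchConfigBucketARN]]
                    - '/config/standard/linux'
        mainSteps:
          # Fixed 5-minute delay before any work; the template does not state
          # why (presumably to let instance bootstrapping settle).
          - precondition:
              StringEquals:
                - platformType
                - Linux
            action: aws:runShellScript
            name: first
            inputs:
              runCommand:
                - sleep 300
          - precondition:
              StringEquals:
                - platformType
                - Windows
            action: aws:runPowerShellScript
            name: second
            inputs:
              runCommand:
                - Start-Sleep -Seconds 300
          - action: aws:runDocument
            name: installCWAgent
            inputs:
              documentType: SSMDocument
              documentPath: AWS-ConfigureAWSPackage
              documentParameters:
                action: Install
                name: AmazonCloudWatchAgent
          - action: "aws:runDocument"
            precondition:
              StringEquals:
                - platformType
                - Windows
            name: "StartCloudWatchWindows"
            inputs:
              documentType: "SSMDocument"
              documentPath: "AmazonCloudWatch-ManageAgent"
              documentParameters:
                action: "start"
                mode: "ec2"
          - action: "aws:runDocument"
            precondition:
              StringEquals:
                - platformType
                - Windows
            name: "StopCloudWatchWindows"
            inputs:
              documentType: "SSMDocument"
              documentPath: "AmazonCloudWatch-ManageAgent"
              documentParameters:
                action: "stop"
                mode: "ec2"
          - action: aws:downloadContent
            precondition:
              StringEquals:
                - platformType
                - Windows
            name: DownloadStandardCloudWatchConfigWindows
            inputs:
              sourceType: S3
              sourceInfo: "{{ sourceInfoWindows }}"
              destinationPath: "C:\\ProgramData\\Amazon\\AmazonCloudWatchAgent\\Configs"
          # This step runs under PowerShell, so the cmd.exe form
          # `del /f /s *.etag` would not recurse (and would error on '/f' and
          # '/s' as paths). Use the PowerShell equivalent instead.
          - action: aws:runPowerShellScript
            precondition:
              StringEquals:
                - platformType
                - Windows
            name: DeleteEtagFilesWindows
            inputs:
              timeoutSeconds: '60'
              runCommand:
                - "Set-Location -LiteralPath 'C:\\ProgramData\\Amazon\\AmazonCloudWatchAgent\\Configs'"
                - "Get-ChildItem -Path . -Filter '*.etag' -Recurse -File | Remove-Item -Force"
          - action: "aws:runDocument"
            precondition:
              StringEquals:
                - platformType
                - Windows
            name: "StartCloudWatchWindows2"
            inputs:
              documentType: "SSMDocument"
              documentPath: "AmazonCloudWatch-ManageAgent"
              documentParameters:
                action: "start"
                mode: "ec2"
          - action: "aws:runDocument"
            precondition:
              StringEquals:
                - platformType
                - Linux
            name: "StartCloudWatchLinux"
            inputs:
              documentType: "SSMDocument"
              documentPath: "AmazonCloudWatch-ManageAgent"
              documentParameters:
                action: "start"
                mode: "ec2"
          - action: "aws:runDocument"
            precondition:
              StringEquals:
                - platformType
                - Linux
            name: "StopCloudWatchLinux"
            inputs:
              documentType: "SSMDocument"
              documentPath: "AmazonCloudWatch-ManageAgent"
              documentParameters:
                action: "stop"
                mode: "ec2"
          - action: aws:downloadContent
            precondition:
              StringEquals:
                - platformType
                - Linux
            name: downloadStandardCloudWatchConfigLinux
            inputs:
              sourceType: S3
              sourceInfo: "{{ sourceInfoLinux }}"
              destinationPath: "/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d"
          - action: aws:runShellScript
            precondition:
              StringEquals:
                - platformType
                - Linux
            name: DeleteEtagFilesLinux
            inputs:
              timeoutSeconds: '60'
              runCommand:
                - cd /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d
                - find . -name \*.etag -type f -delete
          - action: "aws:runDocument"
            precondition:
              StringEquals:
                - platformType
                - Linux
            name: "StartCloudWatchLinux2"
            inputs:
              documentType: "SSMDocument"
              documentPath: "AmazonCloudWatch-ManageAgent"
              documentParameters:
                action: "start"
                mode: "ec2"
      DocumentType: Command
      # Name:
      #   Fn::Join:
      #     - ''
      #     - - AWSQuickSetup-InstallAndManageCloudWatchDocument-
      #       - Ref: QSConfigurationId
    Condition: CreateInstallAndManageCloudWatchAgentAssociation

  # Runs the install/configure document on all targeted instances; re-runs
  # every 30 days when UpdateCloudWatchAgent is 'true' (no schedule otherwise).
  # The sourceInfo parameters are passed as JSON strings built from the bucket
  # name in CloudWatchConfigBucketARN.
  SystemAssociationForInstallAndConfigureCloudWatchAgent:
    Type: AWS::SSM::Association
    Properties:
      Name:
        Ref: InstallAndManageCloudWatchDocument
      Parameters:
        sourceInfoWindows:
          - Fn::Join:
              - ''
              - - '{"path":'
                - '"https://s3.amazonaws.com/'
                - !Select [5, !Split [":", !Ref CloudWatchConfigBucketARN]]
                - '/config/standard/windows"'
                - '}'
        sourceInfoLinux:
          - Fn::Join:
              - ''
              - - '{"path":'
                - '"https://s3.amazonaws.com/'
                - !Select [5, !Split [":", !Ref CloudWatchConfigBucketARN]]
                - '/config/standard/linux"'
                - '}'
      AssociationName:
        Fn::Join:
          - ''
          - - AWS-QuickSetup-SSMHostMgmt-ManageCloudWatchAgent-
            - Ref: QSConfigurationId
      ScheduleExpression:
        Fn::If:
          - UpdateCloudWatchAgentAssociation
          - rate(30 days)
          - !Ref AWS::NoValue
      Targets:
        Fn::If:
          - IsOrgQuickSetup
          - - Key: InstanceIds
              Values:
                - "*"
          - Fn::If:
              - IsTagKeyAndValueTargeted
              - - Key:
                    Fn::Join:
                      - ''
                      - - 'tag:'
                        - Ref: TargetTagKey
                  Values:
                    - Ref: TargetTagValue
              - Fn::If:
                  - IsTagKeyOnlyTargeted
                  - - Key: tag-key
                      Values:
                        - Ref: TargetTagKey
                  - Fn::If:
                      - IsResourceGroupTargeted
                      - - Key: resource-groups:Name
                          Values:
                            - Ref: ResourceGroupName
                      - Fn::If:
                          - TargetAll
                          - - Key: InstanceIds
                              Values:
                                - "*"
                          - - Key: InstanceIds
                              Values:
                                Fn::Split:
                                  - ","
                                  - Ref: TargetInstances
    Condition: CreateInstallAndManageCloudWatchAgentAssociation

  # Retired drafts of a separate agent-update document/association, kept
  # commented out by the author. The periodic update is now handled by the
  # ScheduleExpression on SystemAssociationForInstallAndConfigureCloudWatchAgent.
  # UpdateCloudWatchDocument:
  #   Type: AWS::SSM::Document
  #   Properties:
  #     DocumentFormat: YAML
  #     Content:
  #       schemaVersion: '2.2'
  #       description: A composite document for updating CloudWatch agent.
  #       mainSteps:
  ##        - precondition:
  ##            StringEquals:
  ##              - platformType
  ##              - Linux
  ##          action: aws:runShellScript
  ##          name: first
  ##          inputs:
  ##            runCommand:
  ##              - sleep 1800
  ##        - precondition:
  ##            StringEquals:
  ##              - platformType
  ##              - Windows
  ##          action: aws:runPowerShellScript
  ##          name: second
  ##          inputs:
  ##            runCommand:
  ##              - Start-Sleep -Seconds 1800
  #         - action: aws:runDocument
  #           name: installCWAgent
  #           inputs:
  #             documentType: SSMDocument
  #             documentPath: AWS-ConfigureAWSPackage
  #             documentParameters: '{"action":"Install","name" : "AmazonCloudWatchAgent"}'
  #     DocumentType: Command
  ##    Name:
  ##      Fn::Join:
  ##        - ''
  ##        - - UpdateCloudWatchDocument-
  ##          - Ref: QSConfigurationId
  #   Condition: UpdateCloudWatchAgentAssociation
  # SystemAssociationForUpdateCloudWatchAgent:
  #   Type: AWS::SSM::Association
  #   Properties:
  #     ApplyOnlyAtCronInterval: true
  #     Name:
  #       Ref: UpdateCloudWatchDocument
  #     AssociationName:
  #       Fn::Join:
  #         - ''
  #         - - AWS-QuickSetup-SSMHostMgmt-UpdateCloudWatchAgent-
  #           - Ref: QSConfigurationId
  #     ScheduleExpression: rate(30 days)
  #     Targets:
  #       Fn::If:
  #         - IsOrgQuickSetup
  #         - - Key: InstanceIds
  #             Values:
  #               - "*"
  #         - Fn::If:
  #             - IsTagKeyAndValueTargeted
  #             - - Key:
  #                   Fn::Join:
  #                     - ''
  #                     - - 'tag:'
  #                       - Ref: TargetTagKey
  #                 Values:
  #                   - Ref: TargetTagValue
  #             - Fn::If:
  #                 - IsTagKeyOnlyTargeted
  #                 - - Key: tag-key
  #                     Values:
  #                       - Ref: TargetTagKey
  #                 - Fn::If:
  #                     - IsResourceGroupTargeted
  #                     - - Key: resource-groups:Name
  #                         Values:
  #                           - Ref: ResourceGroupName
  #                     - Fn::If:
  #                         - TargetAll
  #                         - - Key: InstanceIds
  #                             Values:
  #                               - "*"
  #                         - - Key: InstanceIds
  #                             Values:
  #                               Fn::Split:
  #                                 - ","
  #                                 - Ref: TargetInstances
  #   Condition: UpdateCloudWatchAgentAssociation
  #SystemAssociationForUpdateCloudWatchAgent:
  #   Type: AWS::SSM::Association
  #   Properties:
  #     Name:
  #       Ref: UpdateCloudWatchDocument
  #     AssociationName:
  #       Fn::Join:
  #         - ''
  #         - - AWS-QuickSetup-SSMHostMgmt-UpdateCloudWatchAgent-
  #           - Ref: QSConfigurationId
  #     ScheduleExpression: rate(30 days)
  #     Targets:
  #       Fn::If:
  #         - IsOrgQuickSetup
  #         - - Key: InstanceIds
  #             Values:
  #               - "*"
  #         - Fn::If:
  #             - IsTagKeyAndValueTargeted
  #             - - Key:
  #                   Fn::Join:
  #                     - ''
  #                     - - 'tag:'
  #                       - Ref: TargetTagKey
  #                 Values:
  #                   - Ref: TargetTagValue
  #             - Fn::If:
  #                 - IsTagKeyOnlyTargeted
  #                 - - Key: tag-key
  #                     Values:
  #                       - Ref: TargetTagKey
  #                 - Fn::If:
  #                     - IsResourceGroupTargeted
  #                     - - Key: resource-groups:Name
  #                         Values:
  #                           - Ref: ResourceGroupName
  #                     - Fn::If:
  #                         - TargetAll
  #                         - - Key: InstanceIds
  #                             Values:
  #                               - "*"
  #                         - - Key: InstanceIds
  #                             Values:
  #                               Fn::Split:
  #                                 - ","
  #                                 - Ref: TargetInstances
  #   Condition: UpdateCloudWatchAgentAssociation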